Is Jackson JSON Processor secure against injection attacks such as XSS? - jackson

Is Jackson JSON Processor secure enough, by default, against injection attacks?

Related

What's the difference between gRPC and WCF?

I know we are comparing 2 different technologies, but I would like to know the pros and cons of both. WCF has been around for almost a decade now. Didn't anything similar exist in the Java world until now?
At a very high level they would both appear to address the same tooling space.
However, the differences I can pick up on:
GRPC does not use SOAP to mediate between client and service over http. WCF supports SOAP.
GRPC is only concerned with RPC style communication. WCF supports and promotes REST and POX style services in addition to RPC.
GRPC provides support for multiple programming languages. WCF supports C# (and the other .net languages).
GRPC uses protobuf for on-wire serialization, WCF uses either XML/JSON or windows binary.
GRPC is open source
In short:
GRPC seems a much more focused services framework; it does one job really well and on multiple platforms.
WCF is much more general purpose, but limited to .NET for the time being (WCF is being ported to .NET Core, but at the time of writing only client-side functionality is on .NET Core).
Apart from the answers mentioned, I wish to add that gRPC does not support Windows/Kerberos authentication, which is the de facto authentication mode in the corporate world.
For this reason, it's very hard to migrate from WCF to gRPC.
As tom already mentioned:
WCF uses either XML/JSON or windows binary
while gRPC uses binary, which makes messages much thinner and faster to deserialize on the client/server end-point, simply by dropping the human-readability feature.
Also, please note that WCF needs extra configuration (and hassle) to comply with HTTP/2 and gain its benefits, e.g. shorter headers and bodies (which means even faster transmission), a more secure and reliable connection, multiplexing (a.k.a. multiple requests/responses in parallel), server push and so on, while gRPC has already embraced it.

Does the RESTful Service exposed need to check for XSS Attacks

I have a RESTful WCF service that exposes a method that takes in an XElement as a parameter.
Now I want to know if I need to check the incoming message for XSS attacks first or whether the framework handles it by default.
If I need to handle it, do I use the Microsoft XSS library to perform this operation on the XElement string that comes in from the request?
Check the link below for further details:
REST Security
REST does not have predefined security methods so developers define their own, and
Often, developers in a hurry to just get... services deployed don't treat them with the same level of diligence as they treat web applications.

BasichttpBinding vs WSHttpBinding of WCF

I want to update client data with server data and vice versa. Currently I am using BasicHttpBinding, which is faster than wsHttpBinding.
My requirement is to achieve:
Fast data communication
Secure communication
Two bindings are suitable in this scenario: BasicHttpBinding and wsHttpBinding.
So which binding should I use? And what is the difference between BasicHttp and wsHttp binding?
If you need security, use wsHttpBinding. It implements all the various security features, like message or transport security, client credentials provided as Windows credentials, username/password, or certificate. It supports reliable messaging and a lot more - a whole slew of the WS* standards.
BasicHttpBinding is just that - very very basic. It's more or less ASMX web services - pretty much no settings, no security (other than being routed over HTTPS).
If you need fast, use netTcpBinding - but that doesn't work well over internet connections. If that doesn't work, use basicHttpBinding - it's faster, leaner, less overhead than wsHttpBinding.
So you're back to the classic trade-off: you can have fast or secure - pick one. There's no "magic" way of having both at the same time - security does add overhead and thus slows things down. What is more important to you: secure communications, or fast communications??
wsHttpBinding implements the WS-Security standard for web services communication; however, I believe HTTPS will provide you with sufficient security if you use basicHttpBinding.
You should also keep in mind that wsHttpBinding restricts your interoperability, as wsHttpBinding is only compatible with clients that support WS-* (SOAP 1.2).
In my opinion, I would stick with basicHttpBinding unless there are specific WS-* standard features that you need. In terms of WS-Security, the features it comes with are things like message-level encryption (beyond the transport-level encryption that HTTPS provides). To me, transport encryption ensures your message is encrypted when transmitted over the wire; the only benefit of having message-level encryption is not wanting the overhead of using transport-level security, but just wanting lighter-weight encryption in specific areas of the message.
Here's a list of WS specifications from wikipedia for your information:
http://en.wikipedia.org/wiki/List_of_Web_service_specifications
Usually we recommend a fast, secure transport like SSL for security. This is because any kind of message-level security is CPU intensive in encryption/signing.
So you can just use basicHttpBinding with transport security for most scenarios without too much of a trade-off in perf.
If you aren't using any of the richer WS-* protocols or sessions etc., then you can stick with basicHttpBinding.
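An added example (not code from any of the answers above, nor from WCF's own samples), in C#, of the three choices these answers weigh: the parameterless BasicHttpBinding, which is BasicHttpSecurityMode.None and therefore cleartext SOAP over http; basicHttpBinding with transport security, which is what the last answer recommends for most cases; and wsHttpBinding with message security for the WS-* case. The IsProtected guard is my own check, not a WCF API: it refuses a binding that offers neither TLS on the transport nor WS-Security on the message. The IPing contract, the host address and port are assumptions.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Channels;

[ServiceContract]
public interface IPing
{
    [OperationContract]
    string Ping(string s);
}

public class PingService : IPing
{
    public string Ping(string s) { return "pong:" + s; }
}

static class BindingChoice
{
    // Weak setting: the parameterless constructor is BasicHttpSecurityMode.None,
    // so credentials and payloads travel as cleartext SOAP over http.
    public static BasicHttpBinding BasicCleartext()
    {
        return new BasicHttpBinding();
    }

    // What the answers above recommend: basicHttpBinding over TLS.
    // Binding.Scheme becomes "https", so the endpoint address must be https://.
    public static BasicHttpBinding BasicOverTls()
    {
        var b = new BasicHttpBinding(BasicHttpSecurityMode.Transport);
        // None = anonymous client; use Basic or Certificate if the client must authenticate.
        b.Security.Transport.ClientCredentialType = HttpClientCredentialType.None;
        return b;
    }

    // Only when WS-* features are needed: message-level security plus WS-ReliableMessaging.
    // Each body is signed/encrypted individually, which is the CPU cost the last answer mentions.
    public static WSHttpBinding WsStar()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        b.ReliableSession.Enabled = true;
        return b;
    }

    // Guard (my own helper, not part of WCF): true if the wire is protected either by TLS on
    // the transport (scheme https) or by WS-Security on the message.
    public static bool IsProtected(Binding b)
    {
        if (string.Equals(b.Scheme, "https", StringComparison.OrdinalIgnoreCase))
            return true;
        var ws = b as WSHttpBinding;
        return ws != null && ws.Security.Mode != SecurityMode.None;
    }

    static void Main()
    {
        var candidates = new Binding[] { BasicCleartext(), BasicOverTls(), WsStar() };
        foreach (var b in candidates)
            Console.WriteLine("{0,-16} scheme={1,-5} protected={2}", b.Name, b.Scheme, IsProtected(b));

        // Typical host setup with the recommended binding. The host is not opened here:
        // Open() would require an HTTPS server certificate bound to port 8443.
        var binding = BasicOverTls();
        if (!IsProtected(binding))
            throw new InvalidOperationException("refusing to expose a cleartext SOAP endpoint");
        var host = new ServiceHost(typeof(PingService), new Uri("https://localhost:8443/ping"));
        host.AddServiceEndpoint(typeof(IPing), binding, "");
        // host.Open();
    }
}
```

The loop prints that only the transport-secured basic binding reports scheme https; the wsHttpBinding with message security stays on http, because the protection is inside the SOAP envelope rather than on the channel, which is exactly the overhead trade-off the answers describe.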

What should I know when developing interoperable WCF web service?

I'm starting this Wiki to collect best practices about creating interoperable web services (not clients) in WCF. Please share your experience if you know any feature which is not generally interoperable or which is not interoperable with specific platform.
Fairly simple:
avoid any .NET specifics like Exceptions (turn them into SOAP faults)
don't use any binding that starts with net like netTcp, netNamedPipes, netMsmq and so forth - use wsHttpBinding for secure WS-* services, and basicHttpBinding for maximum reach / compatibility with even the weirdest client platforms
don't use the NetDataContractSerializer
I recommend WCF REST exposing multiple serialization formats, definitely xml for starters.
General interoperability:
Only HTTP and HTTPS transport channels are interoperable
Negotiation of security credentials is not interoperable (negotiateServiceCredential in message security). It uses TLSNego or SPNego protocols which are not always supported by other platforms.
HTTP streaming can cause troubles as well
Binary encoding over HTTP channel is not interoperable
OleTransactions are not interoperable
Use service security context with care (establishSecurityContext in message security). It uses the WS-SecureConversation protocol, which is not available on some platforms
Edit:
WSDualHttpBinding and CompositeDuplexBindingElement are not interoperable
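An added example in C#, not code from either answer above, that applies two of their points together: .NET exceptions are turned into a typed SOAP fault declared with FaultContract, and the wsHttpBinding is created with negotiateServiceCredential and establishSecurityContext switched off so that clients without TLSNego/SPNego or WS-SecureConversation can still talk to it. The IOrderService contract, the namespaces and the returned value are assumptions; the fault path is exercised in-process so the example runs without a host.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;

// Fault payload as a plain DataContract, so any SOAP 1.2 client can read the <Detail> element.
[DataContract(Namespace = "http://example.org/faults")]
public class ServiceFault
{
    [DataMember] public string Code { get; set; }
    [DataMember] public string Message { get; set; }
}

[ServiceContract(Namespace = "http://example.org/orders")]
public interface IOrderService
{
    [OperationContract]
    [FaultContract(typeof(ServiceFault))]   // advertised in the WSDL, so clients can generate a typed fault
    decimal GetTotal(string orderId);
}

public class OrderService : IOrderService
{
    public decimal GetTotal(string orderId)
    {
        if (string.IsNullOrWhiteSpace(orderId))
        {
            // A thrown ArgumentException reaches the client as a generic fault with no usable
            // detail, or, with IncludeExceptionDetailInFaults=true, with a .NET stack trace that
            // leaks internals. A typed SOAP fault carries exactly the fields we choose to expose.
            var detail = new ServiceFault { Code = "InvalidOrder", Message = "orderId is required" };
            throw new FaultException<ServiceFault>(detail, new FaultReason("Invalid order id"));
        }
        return 42.00m;  // constructed value for the example
    }
}

static class InteropHost
{
    // wsHttpBinding with the two non-interoperable defaults switched off.
    public static WSHttpBinding InteropBinding()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageCredentialType.Certificate;
        // Default true: TLSNego/SPNego handshake to obtain the service credential. Off means the
        // client must hold the service certificate out of band, which every WS-Security stack can do.
        b.Security.Message.NegotiateServiceCredential = false;
        // Default true: WS-SecureConversation session. Off means each message is secured with the
        // certificate directly, at the cost of a per-message asymmetric operation.
        b.Security.Message.EstablishSecurityContext = false;
        return b;
    }

    static void Main()
    {
        var b = InteropBinding();
        Console.WriteLine("negotiate={0} secureConversation={1} scheme={2}",
            b.Security.Message.NegotiateServiceCredential,
            b.Security.Message.EstablishSecurityContext, b.Scheme);

        // Exercise the fault path in-process. Across the wire a WCF client receives the same
        // FaultException<ServiceFault>; other stacks see a standard soap:Fault with a <Detail> element.
        try
        {
            new OrderService().GetTotal("");
        }
        catch (FaultException<ServiceFault> ex)
        {
            Console.WriteLine("fault {0}: {1} ({2})", ex.Detail.Code, ex.Detail.Message, ex.Reason);
        }
    }
}
```

To actually host this, create a ServiceHost for OrderService, add an endpoint with InteropBinding(), and call host.Credentials.ServiceCertificate.SetCertificate(...) before Open(), since message security with certificate credentials needs a service certificate that clients already trust.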

JSON WCF Security

Are JSON-enabled WCF services secure, given that they carry human-readable strings?
Any article on JSON-enabled WCF security will help. (link)
JSON-enabled WCF services are REST-based - those basically transmit everything in clear text, so in order to get any protection against snooping, you'd have to secure the transport layer using e.g. SSL encryption.
Marc
WCF is just a framework to make communication simpler; it doesn't in and of itself make anything secure.
JSON is just a nice way to transmit data, esp. when sending to a web page, as it can be more compact than XML, and JavaScript can parse JSON faster than XML since JSON is made for JavaScript.
If you have any sensitive information you can either encrypt that specific data or you can just use SSL connections, but that can impact performance.
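An added example in C#, not code from any of the posts, serving the title question about Jackson, the "Does the RESTful service need to check for XSS attacks" question and the JSON WCF post above: a JSON serializer is not an HTML encoder. The JSON grammar only requires escaping the quote, the backslash and control characters, so a string such as <script> survives the round trip intact, and it becomes XSS the moment a page writes the decoded value into HTML with innerHTML. The protection belongs at the HTML boundary (WebUtility.HtmlEncode here), with \u003c-style escaping of HTML-significant characters as defence in depth; Jackson exposes that second step through JsonGenerator.setCharacterEscapes. JsonEscape and JsonEscapeHtmlSafe are my own minimal encoders written to make the difference visible, not Jackson's or DataContractJsonSerializer's code, and the hostile input is constructed.

```csharp
using System;
using System.Net;
using System.Text;

static class JsonVsHtml
{
    // Minimal JSON string encoder that does only what the JSON grammar requires.
    // It deliberately leaves '<', '>' and '&' alone, as a JSON serializer may.
    public static string JsonEscape(string s)
    {
        var sb = new StringBuilder("\"");
        foreach (char c in s)
        {
            switch (c)
            {
                case '"':  sb.Append("\\\""); break;
                case '\\': sb.Append("\\\\"); break;
                case '\n': sb.Append("\\n");  break;
                case '\r': sb.Append("\\r");  break;
                case '\t': sb.Append("\\t");  break;
                default:
                    if (c < 0x20) sb.AppendFormat("\\u{0:x4}", (int)c);
                    else sb.Append(c);
                    break;
            }
        }
        return sb.Append('"').ToString();
    }

    // Defence in depth: additionally escape HTML-significant characters so the JSON text
    // itself cannot terminate a <script> block or an attribute it is embedded in.
    // The escapes are valid JSON, so any parser still yields the original string.
    public static string JsonEscapeHtmlSafe(string s)
    {
        string json = JsonEscape(s);
        return json.Replace("<", "\\u003c").Replace(">", "\\u003e").Replace("&", "\\u0026");
    }

    // The actual XSS fix: encode for the HTML context at the point of rendering.
    public static string RenderAsHtml(string s)
    {
        return "<td>" + WebUtility.HtmlEncode(s) + "</td>";
    }

    static void Main()
    {
        // Constructed hostile input, as an attacker would send it in a request body.
        string hostile = "</script><script>alert(1)</script>";

        Console.WriteLine("JSON only       : " + JsonEscape(hostile));         // <script> tags intact
        Console.WriteLine("JSON, HTML-safe : " + JsonEscapeHtmlSafe(hostile));  // \u003cscript\u003e...
        Console.WriteLine("HTML context    : " + RenderAsHtml(hostile));        // &lt;script&gt;...
    }
}
```

The first line of output shows why "the framework handles it" is the wrong expectation for JSON or XML services: the serializer faithfully preserves the attacker's string, as it must. The third line is the check that actually neutralises the payload, and it has to run wherever the value is turned into HTML, whether that is server-side templating or client-side JavaScript that should use textContent rather than innerHTML.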